Risk and compliance functions are used to considering the effectiveness of their approaches against good practice guidelines and regulatory requirements. The same sort of rigour should be applied to considering the efficiency of risk and compliance in the business. This can result in a lower cost, more efficient and effective operating model, and an increased return on the investment in risk and compliance activity.
Risk management and regulatory compliance are well-established disciplines in financial services, yet there continue to be challenges around risk effectiveness, and increasingly about efficiency. Why is this, and what can companies do about it?
Risk management is the art of helping an organisation to achieve its objectives by understanding the uncertainties that it is susceptible to, and – most importantly – doing something about them through its strategy, business activity and decision making.
Risk management and compliance functions have been a feature of the organisational models of financial services and insurance companies for some time. Yet we see increasing numbers of companies considering how to enhance risk and compliance approaches to increase not just their effectiveness but also their efficiency.
No organisation wants to reduce the effectiveness of risk management or increase regulatory scrutiny. However, while systems may be effective in meeting regulatory expectations, increasingly organisations can feel they have the worst of all possible worlds - an approach which they do not feel is providing benefits, while being cumbersome and expensive to operate.
Sometimes the board, CEO and CRO and/or Chief Compliance Officer have not had a clear and honest conversation around what the focus, scope and remit of roles needs to be at a point in time, and how priorities can be balanced. In the absence of clear guidance, control functions have no option but to focus on what they see as the key priorities; but without having a clear steer about needs and priorities, frustrations can arise on all sides.
Even if expectations are initially clear, stakeholder expectations can change over time. Organisations can increase in size. Owners can change. Perceived levels of risk to regulators’ statutory objectives can change. Regulatory views on how organisations ought to be managing their risks also evolve and change, as their objectives change and as their own stakeholders clarify expectations. This can place more guidance and requirements on firms. Even where these are not aimed at the risk function directly, these changes typically require the risk function to re-consider its approaches in the context of changing stakeholder requirements.
We often see, through regular consideration of mandates and effectiveness reviews, companies seeking to get a view on the effectiveness of their second line functions. However, all too often this consideration can focus on the coverage and approach to processes and reporting, without giving sufficient consideration to the impact of the functions – how do they and their processes have an impact on decisions? They produce a lot of volume and input, but do they provide valued insight and output?
It is often said that risk management and compliance are everyone’s business. In other words, effectiveness and efficiency of risk management and compliance is a business challenge and not just the challenge of the risk and compliance functions themselves. Fundamentally, it is about a dialogue - how the rest of the business (the first line) can deliver against internal and external risk management expectations.
Often first line resourcing of risk and compliance activities can be a significant source of tension within a business. Many businesspeople still feel risk and compliance is 'done to' them rather than 'done with' them, by technical experts who lack business experience and pragmatism. This can have a negative impact on their confidence and ability to make risk-based decisions.
Equally, some risk and compliance functions feel they are the only people worrying about managing risk and regulatory compliance and are making up for the deficiencies of the wider business, which detracts from their ability to provide support and challenge.
For many years, the change agenda of leaders of risk and compliance functions has been dominated by the need to respond to increased regulatory requirements. As regulatory requirements can themselves be complex and ambiguous, and implementation is typically required under relatively tight timescales, change has typically been undertaken in discrete projects led by technical experts. As a result, the focus of project delivery is often about ensuring the core activity gets delivered in line with required deadlines.
While in the past companies under pressure to meet deadlines would follow an ineffective ‘tick box’ type approach, requirements are now much more principles based. As a result, requirements are typically met by ‘layering on’ additional activities or sometimes by creating a new ‘framework.’ Few organisations typically feel they have the time and space to consider how they can refine their operating model more holistically to reflect regulatory requirements ‘by design’ and capture wider business benefits.
While these approaches could ensure that regulatory expectations are met, they do not typically contribute to the effectiveness and efficiency of risk management. Sometimes we hear concerns about the costs of ‘layering on’ these changes, and the extent to which risk management and compliance across an organisation is efficient. In other cases, we see increasing confusion in the business about how different initiatives fit together. Sadly, it is much less often that we hear people speaking of the tangible business benefits of the work.
While there is value that can be delivered by seeking to enhance the efficiency of risk and compliance activities in the business, it is important to recognise that this work is complex and stakeholder expectations are critical. Regulators are focused on ensuring effective risk and compliance arrangements so changing arrangements from the perspective of efficiency risks being seen as negative – a reduction in focus, and therefore of effectiveness - with the risk of increased regulatory scrutiny.
As a reaction to perceived inefficiencies, and sometimes as part of a broader cost reduction programme, first line and finance teams sometimes start to focus only on the efficiency of the processes and resources that allow the business to manage its risks in a timely manner. There is a danger that this approach will fail to consider the required effectiveness. If efficiency is considered on its own, or without a lens on effectiveness, there can be unintended consequences for risk management and compliance in the business and for alignment with regulatory expectations. This can happen inadvertently, particularly where requirements are complex or were implemented in a 'layered' manner with interdependencies that are not well understood.
To mitigate these risks and build a sound business case, we typically recommend a focused diagnostic phase. This has proved to be of value across a number of types of projects – whether looking at a specific process area (such as the effectiveness and efficiency of a strategy and planning process), specific areas of business decision making, or at a particular problem or challenge (such as inefficiencies and overlaps between risk and compliance).
We recommend this approach for three reasons:
A diagnostic phase will help by exploring the challenges and identifying the most cost-effective solution options, which can then be assessed and considered in more depth, saving time and effort.
Assessing and improving effectiveness and efficiency is more than an analytical challenge. It is also a communication and engagement challenge with the client and with senior management. The role of the project sponsor, typically the CRO, CEO or CFO, is vital in laying out initial hypotheses about effectiveness and efficiency, and guiding engagement with senior management.
While these projects typically start as an opportunity to validate concerns about effectiveness and efficiency, and develop solutions for remediation, it is not unusual for the engagement process to lead to a significant change in perspective on the nature of the problem, or the best solution to resolve it. This makes it even more important to engage an external perspective in this work. Equally, it is important that the process of coming to solutions is collaborative. Solutions created in partnership with key stakeholders in the business are more likely to be efficient, and sustainable for the longer-term.
Risk and compliance functions are used to considering the effectiveness of their approaches against good practice guidelines. The same sort of rigour should be applied to considering the efficiency of risk and compliance in the business through:
In subsequent articles and posts we will explore challenges and opportunities we have helped clients address and capture. We will provide tangible examples and practical tips as to how organisations can enhance the efficiency and, through this, the effectiveness of their risk and compliance approaches.
We are experienced in looking at the effectiveness of risk and compliance, and are increasingly helping organisations to enhance the efficiency and effectiveness of risk and compliance approaches through:
For an initial discussion, please get in touch with Justin Elks or Isaac Alfon.